Webhooks
Subscribe to LYNKS platform events and receive real-time HTTP callbacks to automate your integration workflows.
Introduction
Webhooks allow your application to react to events happening in LYNKS in real time. Instead of polling the API to check for changes, LYNKS sends an HTTP POST request to your configured endpoint whenever a subscribed event occurs — such as a payment being processed by the bank or a new bank statement becoming available.
Any system that can receive HTTP requests can subscribe to LYNKS webhook events, making this integration approach suitable for ERP systems, custom applications, and automation platforms.
Webhook setupWebhook configuration requires setup by Finologee's support team. Contact [email protected] to assess your infrastructure requirements and configure webhook subscriptions for your tenant.
Prerequisites
Webhooks are available to API users and require your endpoint to be reachable over HTTPS. Before requesting setup, ensure your system can:
- Accept inbound HTTPS POST requests from LYNKS servers
- Parse a JSON request body
- Validate HMAC-SHA256 request signatures
No specific LYNKS user permission is required to receive webhooks, but the integration must be configured by Finologee's support team for your tenant.
How webhooks work
When a subscribed event occurs in LYNKS, the platform sends an HTTP POST request to your configured endpoint. Your application receives the event payload, processes it, and responds with an HTTP 2xx status code to acknowledge receipt.
If your endpoint does not return a 2xx response, LYNKS retries the delivery using exponential backoff.
| Step | Action |
|---|---|
| 1 | An event occurs in LYNKS (e.g., payment processed by bank) |
| 2 | LYNKS sends an HTTP POST to your configured endpoint |
| 3 | Your application receives and processes the event payload |
| 4 | Your application returns HTTP 2xx to acknowledge receipt |
| 5 | On failure, LYNKS retries with exponential backoff |
Supported events
You can subscribe to the following events:
| Event | Object type | Description |
|---|---|---|
| Payment processed by bank | Credit transfer | Payment successfully executed by the bank |
| Payment approved by signatories | Credit transfer | Payment received all required signatures |
| Payment failed | Credit transfer | Payment failed during processing |
| Payment rejected by bank | Credit transfer | Bank rejected the payment |
| Payment cancelled | Credit transfer | Payment was cancelled |
| Direct debit batch completed collection | Direct debit | Direct debit batch collection completed |
| Direct debit batch failed | Direct debit | Direct debit batch failed during processing |
| Direct debit batch rejected | Direct debit | Direct debit batch was rejected |
| Account statement received | Account statement | New bank statement received for an account |
Webhook payload
Each webhook delivery is an HTTP POST request with a JSON body containing the event details.
Payload structure
{
"eventId": "01946f4c-88e8-7dd4-8179-6bfc3b873e4e",
"eventObject": "TRANSACTION",
"event": "TRANSACTION_PROCESSED_BY_BANK",
"timestamp": "2025-01-16T14:30:00Z",
"data": {
"creditTransferId": "123"
},
"links": {
"self": "https://tenant.lynks.lu/v2/credit-transfers/123"
}
}| Field | Description |
|---|---|
eventId | Unique identifier for this webhook delivery |
eventObject | The type of object the event relates to (e.g., TRANSACTION, DIRECT_DEBIT_GROUP, ORDERING_PARTY) |
event | The specific event that occurred (e.g., TRANSACTION_PROCESSED_BY_BANK) |
timestamp | ISO 8601 timestamp of when the event occurred |
data | Object containing the identifier of the affected resource |
links.self | API URL to retrieve full details of the affected resource |
Signature verification
Each webhook request includes an X-Signature-SHA256 header containing an HMAC-SHA256 signature. You should verify this signature to confirm the request originates from LYNKS and has not been tampered with.
To verify the signature:
- Extract the value from the
X-Signature-SHA256header. - Compute an HMAC-SHA256 of the raw request body using your shared secret.
- Compare your computed signature with the header value.
Always verify signaturesProcess only webhook requests with a valid signature. Requests with missing or invalid signatures should be rejected to protect your integration from spoofed events.
Technical specifications
Delivery specifications
| Property | Value |
|---|---|
| Protocol | HTTPS |
| Method | POST |
| Content type | application/json |
| Authentication | HMAC-SHA256 signature (X-Signature-SHA256 header) |
| Retry policy | Fixed backoff (5 seconds between retries) |
| Maximum retries | 3 attempts |
| Data retention | 1 year |
Endpoint requirements
Your webhook endpoint must:
- Be accessible over public HTTPS
- Return an HTTP
2xxresponse within a reasonable timeout - Handle duplicate deliveries idempotently (in case of retries)
Best practices
Follow these recommendations for a reliable webhook integration:
- Respond immediately — Return HTTP
2xxas soon as you receive the request, before performing any processing. Use asynchronous processing for any business logic to avoid timeout failures. - Handle retries idempotently — Use the
eventIdfield in the payload to detect and deduplicate retries, so the same event is not processed more than once. - Always verify signatures — Validate the
X-Signature-SHA256header on every incoming request before processing the payload. - Use the
links.selfURL — Fetch the full resource details from the API using the provided link rather than relying solely on the webhook payload data. - Log all incoming events — Keep a log of received webhook payloads for debugging and audit purposes.
- Test before going live — Validate your endpoint with a sandbox tenant before enabling webhooks in production.
Related documentation
Explore related sections to deepen your understanding:
Core Concepts
Platform Features
- Outgoing payments - Credit transfers and payment statuses
- Direct debit - Collections and mandate management
- Reports - Bank statements and account statement events
Core Concepts
Support
For assistance with webhook setup, endpoint configuration, or troubleshooting delivery failures, contact the Finologee support team at [email protected].
Updated about 8 hours ago